????? Changeup ???????????????????
法執行機関とセキュリティベンダーの協力により、長期にわたってマルウェアの拡散を続けてきたネットワークが閉鎖されました。
Read More
法執行機関とセキュリティベンダーの協力により、長期にわたってマルウェアの拡散を続けてきたネットワークが閉鎖されました。
Read More
Law enforcement agencies and security vendors join forces to take down long running malware delivery network.Read More
summary
Small-scale mobile app software entrepreneurship has been described as the cottage industry of the 21st century. It allows talented software developers to apply their skills to create new and innovative mobile apps, with the hope of becoming the next big thing and, perhaps, even attaining the trappings of wealth associated with success. However, with over 1 million apps available for download on the Google Play Store, for every success story there are countless apps that fail to deliver.
While I was researching a new Android remote administration tool (RAT) known as DroidJack (detected by Symantec as Android.Sandorat), it soon became apparent that its authors had actually started off as Android app developers. In their own words, they were “budding entrepreneurs trying to develop and apply skills that we have gained.” With limited success of their legitimate app on the Google Play Store, they soon turned their skills to creating and selling an Android crimeware tool, known as SandroRAT, on a hacker forum. In August 2014, this same tool was reported in the media to have been used in cybercriminal activity targeting Polish banking users through a phishing email. This tool has since evolved into DroidJack RAT and is now being openly sold on its own website at a cost of US$210 for a lifetime package.
Figure 1. DroidJack website logo
Evolution
On April 26, 2013, the Sandroid RAT was released on the Google Play Store. The authors described the app as being a free tool that lets users control their PC without advertisements.
Figure 2. DroidJack website logo
On December 29, 2013, there was an announcement on a hacker forum of a new project called SandroRAT. The forum poster linked the project back to the Sandroid app available on the Google Play Store, referring to SandroRAT as being a kind of “vice-versa” to the Sandroid app, while also commenting on how it remains hidden on the phone.
Figure 3. SandroRAT control panel
On June 27, 2014, there was an announcement from the same poster on the same hacker forum of a next-generation Android RAT, known as DroidJack.
Figure 4. DroidJack control panel
Capabilities
DroidJack has similar features to other Android RATs, such as AndroRAT and Dendroid. Some of the more than 50 features on offer include the following:
Figure 5. Screenshot from DroidJack marketing video, which shows GPS pinpointer location feature using Google Maps
Legality
Law enforcement is getting more aggressive in its stance against the creation and use of RATs. In May 2014, the FBI, Europol, and several other law enforcement agencies arrested dozens of individuals suspected of cybercriminal activity centered on Blackshades (detected as W32.Shadesrat), a RAT for personal computers that was sold on a dedicated website. Moreover, the recent arrest and indictment of a man in Los Angeles for allegedly conspiring to advertise and sell StealthGenie (Android.Stealthgenie), a mobile application similar to DroidJack, shows that law enforcement is continuing its campaign against any technology designed to invade an individual’s privacy.
In an attempt to distance themselves from any responsibility for illegal activity, the authors of DroidJack have included a disclaimer in their marketing material. Similar disclaimers have been used in the past by other malware authors, such as the Mariposa botnet author, who unsuccessfully claimed on his website that the software was only for educational purposes. Whether the authors of DroidJack truly believe that this disclaimer absolves them of any responsibility is irrelevant, as naivete is not a defense in law.
Figure 6. Disclaimer used in DroidJack marketing
Attribution
If the author or authors of DroidJack meant to cover up their tracks, they have not done a good job. Some simple investigations lead back to the names and telephone numbers of several individuals initially involved in the creation of Sandroid, supposedly based out of Chennai in India. However, whether all of the initial developers are still involved in the creation of DroidJack is not clear. Their marketing video for DroidJack also clearly shows the GPS pinpointer locator function homing in on a location in India. If the authors of DroidJack are truly based out of India, cyber law in India indicates that the creation of such software would be seen as an offense.
Protection summary
Symantec offers the following protection against DroidJack.
Antivirus
summary
Small-scale mobile app software entrepreneurship has been described as the cottage industry of the 21st century. It allows talented software developers to apply their skills to create new and innovative mobile apps, with the hope of becoming the next big thing and, perhaps, even attaining the trappings of wealth associated with success. However, with over 1 million apps available for download on the Google Play Store, for every success story there are countless apps that fail to deliver.
While I was researching a new Android remote administration tool (RAT) known as DroidJack (detected by Symantec as Android.Sandorat), it soon became apparent that its authors had actually started off as Android app developers. In their own words, they were “budding entrepreneurs trying to develop and apply skills that we have gained.” With limited success of their legitimate app on the Google Play Store, they soon turned their skills to creating and selling an Android crimeware tool, known as SandroRAT, on a hacker forum. In August 2014, this same tool was reported in the media to have been used in cybercriminal activity targeting Polish banking users through a phishing email. This tool has since evolved into DroidJack RAT and is now being openly sold on its own website at a cost of US$210 for a lifetime package.
Figure 1. DroidJack website logo
Evolution
On April 26, 2013, the Sandroid RAT was released on the Google Play Store. The authors described the app as being a free tool that lets users control their PC without advertisements.
Figure 2. DroidJack website logo
On December 29, 2013, there was an announcement on a hacker forum of a new project called SandroRAT. The forum poster linked the project back to the Sandroid app available on the Google Play Store, referring to SandroRAT as being a kind of “vice-versa” to the Sandroid app, while also commenting on how it remains hidden on the phone.
Figure 3. SandroRAT control panel
On June 27, 2014, there was an announcement from the same poster on the same hacker forum of a next-generation Android RAT, known as DroidJack.
Figure 4. DroidJack control panel
Capabilities
DroidJack has similar features to other Android RATs, such as AndroRAT and Dendroid. Some of the more than 50 features on offer include the following:
Figure 5. Screenshot from DroidJack marketing video, which shows GPS pinpointer location feature using Google Maps
Legality
Law enforcement is getting more aggressive in its stance against the creation and use of RATs. In May 2014, the FBI, Europol, and several other law enforcement agencies arrested dozens of individuals suspected of cybercriminal activity centered on Blackshades (detected as W32.Shadesrat), a RAT for personal computers that was sold on a dedicated website. Moreover, the recent arrest and indictment of a man in Los Angeles for allegedly conspiring to advertise and sell StealthGenie (Android.Stealthgenie), a mobile application similar to DroidJack, shows that law enforcement is continuing its campaign against any technology designed to invade an individual’s privacy.
In an attempt to distance themselves from any responsibility for illegal activity, the authors of DroidJack have included a disclaimer in their marketing material. Similar disclaimers have been used in the past by other malware authors, such as the Mariposa botnet author, who unsuccessfully claimed on his website that the software was only for educational purposes. Whether the authors of DroidJack truly believe that this disclaimer absolves them of any responsibility is irrelevant, as naivete is not a defense in law.
Figure 6. Disclaimer used in DroidJack marketing
Attribution
If the author or authors of DroidJack meant to cover up their tracks, they have not done a good job. Some simple investigations lead back to the names and telephone numbers of several individuals initially involved in the creation of Sandroid, supposedly based out of Chennai in India. However, whether all of the initial developers are still involved in the creation of DroidJack is not clear. Their marketing video for DroidJack also clearly shows the GPS pinpointer locator function homing in on a location in India. If the authors of DroidJack are truly based out of India, cyber law in India indicates that the creation of such software would be seen as an offense.
Protection summary
Symantec offers the following protection against DroidJack.
Antivirus
FBI、欧州警察組織、その他複数の法執行機関は、Blackshades(別名 W32.Shadesrat)として知られるクリープウェアに関連するサイバー犯罪活動の疑いで数十名を逮捕しました。今回の一斉摘発において、シマンテックは FBI と緊密に連携し、関与した容疑者たちを追跡するための情報を提供しました。今回の摘発作戦により、Blackshades を販売する Web サイトが閉鎖されたため、このマルウェアに関連する活動は大幅に減少すると予想されます。
Blackshades は、初心者レベルのハッカーから高度なサイバー犯罪グループにいたるまで、さまざまな攻撃者によって使用されている有名かつ強力なリモートアクセス型のトロイの木馬(RAT)です。Blackshades は、専用の Web サイト bshades.eu 上で 40 ~ 50 米ドルで販売されていました。手頃な価格で豊富な機能を備えており、攻撃者はこれを使って、侵入先のコンピュータを完全に制御することができます。クリックするだけの簡単なインターフェースから、データを盗み取る、ファイルシステムを閲覧する、スクリーンショットを撮影する、動画を録画する、インスタントメッセージアプリケーションやソーシャルネットワークを操作する、といった処理を実行することができます。
図 1. Blackshades のコマンド & コントロールパネル
今回の逮捕の数日前、FBI は、米国市民を標的とするサイバー犯罪に厳しく対処していくことを宣言し、近日中に捜索、逮捕、起訴を行うという約束を発表したところでした。
図 2. Blackshades の感染件数(2013 年~2014 年)
図 3. Blackshades による被害の上位 5 カ国(2013 年~2014 年)
今回のおとり捜査の一環として、販売元である bshades.eu が閉鎖されたことで、Blackshades の販売と流通には大きな影響があるでしょう。2014 年の Blackshades の活動は大幅に減少すると予想されます。クラック版のビルダーやソースコードは Web 上のいくつかのフォーラムに残ってはいますが、サイバー犯罪者は他のトロイの木馬に移行し始めると予想されます。
Blackshades に対する摘発活動はこれが初めてではありません。FBI は 2012 年、Blackshades プロジェクトへ関与した疑いで、他の 20 名以上と共にマイケル・ホーグ(Michael Hogue)容疑者(別名 xVisceral)を逮捕しました。しかし、その後も販売は継続され、2013 年も Blackshades の活動は増加を続けました。
サイバー犯罪グループは、高度に組織化された攻撃によって数百万ユーロを獲得し、Blackshades に感染したコンピュータを使って巨額の資金移動を行っています。Francophone と呼ばれる最近の活動では、フランスの企業を標的とする金銭の詐取を狙った攻撃で、高度なソーシャルエンジニアリングの手口の一環として Blackshades が使われました。Blackshades 活動に関連する損害の総額を正確に算出するのは困難ですが、個々の事例から推測すると莫大な損失が出ていると考えられます。また、アラブの春においては、政治的な動機による攻撃でも Blackshades が確認されています。騒乱中にリビアとシリアでは、政治活動家を標的として Blackshades の亜種(W32.Shadesrat.C)による攻撃が行われました。
シマンテックは、今回の FBI による摘発を歓迎するとともに、今後も法執行機関および民間のパートナーと協力して、ますます高度化するサイバー犯罪活動に対処いたします。
保護対策
シマンテック製品をお使いのお客様は、以下の検出定義によって Blackshades から保護されています。
ウイルス対策検出定義
侵入防止シグネチャ
シマンテック製品をお使いでない場合に Blackshades として知られるクリープウェアに感染した疑いがあるときは、無償のノートン パワーイレイサーを使ってシステムから除去することができます。
* 日本語版セキュリティレスポンスブログの RSS フィードを購読するには、http://www.symantec.com/connect/ja/item-feeds/blog/2261/feed/all/ja にアクセスしてください。
The FBI, Europol and several other law enforcement agencies have arrested dozens of individuals suspected of cybercriminal activity centered around the malware known as Blackshades (a.k.a. W32.Shadesrat). Symantec worked closely with the FBI in this coordinated takedown effort, sharing information that allowed the agency to track down those suspected of involvement. As a result of this operation, the website selling Blackshades has been taken down and we expect a significant reduction in activity involving this malware.
Blackshades is a popular and powerful remote access Trojan (RAT) that is used by a wide spectrum of threat actors, from entry level hackers right up to sophisticated cybercriminal groups. Blackshades was sold on a dedicated website, bshades.eu for US$40-$50. Competitively priced, with a rich feature list, Blackshades provides the attacker with complete control over an infected machine. A simple point and click interface allows them to steal data, browse the file system, take screenshots, record video, and interact with instant messaging applications and social networks.
Figure 1. The Blackshades command-and-control panel
The arrests come just days after the FBI announced that it would take a more aggressive stance against cybercriminals who target American citizens, promising imminent searches, arrests and indictments.
Figure 2. Computers infected with Blackshades (2013 – 2014)
Figure 3. Top 10 countries affected by Blackshades activity (2013 – 2014)
As part of the sting operation, the source of this RAT – bshades.eu – has been taken offline. This will seriously affect the sale and distribution of Blackshades. Symantec expects there to be a significant decrease in activity for Blackshades in 2014. Although cracked builders and the source code for Blackshades remains online on various forums, we expect cybercriminals will begin to adopt other Trojans.
This was not the first law enforcement action taken against Blackshades. In 2012, the FBI arrested Michael Hogue (a.k.a. xVisceral) on suspicion of involvement in the Blackshades project along with over 20 other individuals. However, the malware remained on sale and Blackshades continued to see increased activity in 2013.
Organized cybercriminal groups have netted millions of euro in well-organized attacks, transferring large sums of money using Blackshades infected computers. In a recent operation dubbed Francophone, Blackshades was used as part of a sophisticated social engineering scheme to target French companies in financially motivated attacks. Total financial losses involving Blackshades activity would be hard to accurately gauge, however individual cases indicate they are significant. Blackshades was also observed in politically motivated attacks during The Arab Spring. Political activists were targeted in Libya and Syria during the uprisings with one variant Blackshades (W32.Shadesrat.C).
Symantec welcomes the action taken by the FBI and remains committed to working with law enforcement and private industry partners in the effort to tackle these increasingly sophisticated cybercriminal operations.
Protection
Symantec protects users against Blackshades under the following detection names.
Antivirus detections
Intrusion Prevention Signatures
If you believe you may be infected with Blackshades and are not a Symantec customer, you can use our free tool Norton Power Eraser to remove it from your system.
FBI, 유러폴(Europol)을 포함한 여러 치안 당국이 Blackshades(일명 W32.Shadesrat)라는 크리프웨어(Creepware)를 이용하여 사이버 범죄를 저지른 혐의로 수십 명을 체포했습니다. 시만텍은 이번 공동 작전에서 FBI와 긴밀하게 협조하며 정보를 공유함으로써 FBI가 혐의자를 추적하는 데 기여했습니다. 이번 작전의 성과로 Blackshades를 판매하던 웹 사이트가 폐쇄되었으며 이 악성 코드와 관련된 범죄 활동이 크게 줄어들 것으로 기대됩니다.
Blackshades는 매우 효과적인 원격 액세스 트로이 목마(remote access Trojan, RAT)로, 초보 해커부터 전문적인 사이버 범죄 조직까지 광범위한 계층에서 애용되어 왔습니다. Blackshades는 bshades.eu라는 전문 웹 사이트에서 40 ~ 50달러의 부담 없는 가격에 판매되었습니다. 공격자는 Blackshades의 다양한 기능을 활용하여 감염된 시스템을 완전히 제어할 수 있습니다. 간단한 포인트 앤 클릭 방식의 인터페이스를 통해 데이터 유출, 파일 시스템 탐색, 스크린샷 생성, 동영상 녹화뿐 아니라 인스턴트 메시징 애플리케이션 및 소셜 네트워크와의 상호 작용도 가능합니다.
그림 1. Blackshades의 명령 및 제어 패널
이번 검거는 FBI가 미국 시민을 노리는 사이버 범죄자에 대해 더 강경하게 대처할 것임을 밝히면서 수색, 체포, 기소가 임박했음을 예고한지 며칠 만에 이루어졌습니다.
그림 2. Blackshades에 감염된 시스템(2013 – 2014)
그림 3. Blackshades 공격 최다 발생 상위 10개국(2013 – 2014)
이번 작전으로 이 RAT의 본거지였던 bshades.eu는 폐쇄되었습니다. 이는 Blackshades의 판매와 보급에 큰 타격을 줄 것입니다. 시만텍은 2014년에 Blackshades 활동이 크게 감소할 것으로 예상합니다. Blackshades의 크랙 빌더와 소스 코드가 아직 여러 온라인 포럼에서 배포되고 있으나 사이버 범죄자들은 이제 다른 트로이 목마를 선택할 것으로 보입니다.
Blackshades의 단속에 나선 것은 이번이 처음은 아닙니다. 2012년에 FBI는 Blackshades 프로젝트에 연루된 혐의로 Michael Hogue(일명 xVisceral)를 포함하여 20여 명을 체포한 바 있습니다. 그럼에도 이 악성 코드의 판매는 계속되었고 Blackshades 활동은 2013년에 더욱 기승을 부렸습니다.
조직화된 사이버 범죄 집단들이 체계적인 공격을 통해 Blackshades에 감염된 시스템을 통해 막대한 자금을 이체하는 방법으로 수백만 유로의 순수입을 거두었습니다. Francophone이라는 별칭으로 알려진 최근 공격에서는 금전적인 동기로 프랑스 기업들을 표적으로 삼은 고도의 지능적인 사회 공학적 수법에 Blackshades가 사용되었습니다. Blackshades 공격으로 인한 경제적 손실의 총 규모를 정확하게 파악하기는 어렵지만, 개별 사례로 미루어볼 때 그 피해가 막대함을 알 수 있습니다. Blackshades는 아랍의 봄에서 정치적 동기를 지닌 공격에서도 이용된 바 있습니다. 리비아와 시리아에 봉기가 일어났던 시기에 정치 운동가들이 Blackshades 변종(W32.Shadesrat.C)의 공격을 받았습니다.
시만텍은 FBI의 이번 조치를 환영하며 앞으로도 더욱 지능화되는 사이버 범죄 활동의 퇴치를 위해 치안 기관 및 민간 업체 파트너와 협력하여 최선을 다할 것입니다.
보호
시만텍은 아래와 같이 Blackshades로부터 사용자를 보호합니다.
안티바이러스 탐지
침입 차단 시그니처
시만텍 고객이 아니더라도 Blackshades라는 크리프웨어에 감염된 것으로 의심될 경우 무료 툴인 Norton Power Eraser를 사용하여 시스템에서 이 크리프웨어를 제거할 수 있습니다.